ISO 28000 (Supply Chain Security)

Management system for security of the supply chain.

Introduction: ISO 28000 and the Security of the Supply Chain

ISO 28000:2022, Security and resilience — Security management systems — Requirements, is the international standard that specifies the requirements for a security management system (SMS), including the aspects critical to the security assurance of the supply chain. Originally published in 2007 and comprehensively revised in 2022, ISO 28000 provides organisations of any size or sector with a management-system framework for identifying, assessing, treating and monitoring security risks that arise across their end-to-end supply chains — from raw-material sourcing and inbound logistics, through manufacturing and warehousing, to distribution, transport and final delivery.

The 2022 revision realigned ISO 28000 with the ISO Harmonised Structure (formerly Annex SL / High-Level Structure) that governs all modern ISO management-system standards such as ISO 9001, ISO 14001, ISO 22301 and ISO/IEC 27001. This means ISO 28000 now shares the same ten-clause architecture, common terminology and Plan-Do-Check-Act (PDCA) logic, making it far easier to integrate a supply-chain security management system with an organisation's existing quality, environmental, business-continuity or information-security systems. Security in ISO 28000 is deliberately broad: it embraces physical security, personnel security, information and cyber security, transportation and cargo security, threats from terrorism, smuggling, theft, sabotage, piracy, fraud, natural hazards and other malicious or accidental disruptions to the supply chain.

ISO 28000 is a certifiable standard. An organisation can seek third-party certification from an accredited certification body, or use the standard for self-declaration, first-party or second-party (customer) assessment. It sits at the heart of the ISO 28000 family (the '28000 series'), which includes guidance and sector-specific companion standards for maritime port facilities, resilience in the supply chain, and best-practice implementation. This guide provides an auditor-grade, clause-by-clause treatment of ISO 28000:2022 for both the assessor and the implementing security/CISO team.

Copyright note
ISO 28000:2022 is a copyrighted standard owned by the International Organization for Standardization (ISO). CyberSigma does not reproduce the normative text of the standard. To implement or certify, you must purchase an official copy of ISO 28000:2022 (and any companion standards such as ISO 28001, ISO 28003, ISO 28004 and ISO 22301) from ISO or an authorised national standards body (for example BIS in India, BSI in the UK, ANSI in the US). All summaries, checklists and tables below are CyberSigma's original interpretation for assessment purposes and are not a substitute for the standard itself.

What Is ISO 28000?

ISO 28000:2022 specifies the requirements for establishing, implementing, maintaining and continually improving a security management system (SMS) to enhance the security of supply chains. The word 'security' here refers to the resistance to intentional, unauthorised acts designed to cause harm or damage to, or by, the supply chain — supplemented by resilience against accidental and natural disruptions. The standard is generic and intended to be applicable to all organisations (or parts thereof), regardless of type, size or nature, that wish to establish, implement, maintain and improve an SMS; to assure conformity with a stated security-management policy; and to demonstrate that conformity to others.

Key characteristics of ISO 28000:2022:

  • Risk-based: the SMS is driven by a documented security risk assessment and treatment process that considers threats, vulnerabilities, likelihood and consequence across the supply chain.
  • Management-system based: it follows the ten-clause Harmonised Structure with the PDCA cycle, requiring policy, planning, support, operation, performance evaluation and improvement.
  • Broad security scope: physical, personnel, procedural, information/cyber, transport and cargo, and environmental/natural-hazard dimensions of supply-chain security.
  • Lifecycle across the supply chain: covers manufacturing, servicing, storage/warehousing, transport (road, rail, sea, air, pipeline), and the flow of goods, information, funds and people.
  • Integrable and certifiable: designed to be aligned and integrated with ISO 9001, ISO 14001, ISO 22301, ISO/IEC 27001 and ISO 31000, and auditable by accredited certification bodies.
  • Applicable to any tier: usable by a single logistics operator, a global manufacturer, a port operator, a freight forwarder, a 3PL/4PL provider or an entire multi-tier supply network.

ISO 28000 differs from prescriptive security regulations (such as the WCO SAFE Framework, C-TPAT or the ISPS Code) in that it does not mandate a fixed list of controls; instead it requires the organisation to determine appropriate controls based on its own risk assessment. It complements those schemes and can be used to operationalise their requirements within a single, auditable management system. The 2022 edition also strengthened leadership, context, planning-of-changes and operational-planning requirements relative to the 2007 edition.

Who Must Comply / Scope of Applicability

ISO 28000 is voluntary — no law compels adoption — but many organisations pursue it because customers, regulators, insurers or trading partners require demonstrable supply-chain security. It is most relevant to any entity that owns, operates within, or depends upon a supply chain where security failures would cause loss, injury, regulatory breach or reputational damage. The following table summarises the principal categories of organisation for which ISO 28000 is applicable and the typical drivers.

Organisation type / sector | Why ISO 28000 applies | Typical driver
Manufacturers and producers | Protect inbound materials, in-process goods and finished-product flows from theft, tampering and counterfeiting | Customer/OEM contractual requirement; brand protection
Logistics, freight forwarders, 3PL/4PL | Secure cargo in transit and in storage across multiple modes and jurisdictions | AEO/C-TPAT alignment; carrier and shipper requirements
Ports, terminals and maritime operators | Protect port facilities, vessels and cargo (complements ISPS Code, ISO 28001/28004) | Regulatory and international trade security
Warehousing and distribution centres | Physical and inventory security; access control; personnel vetting | Insurance; loss prevention; retailer mandates
Air cargo and aviation supply chain | Secure air freight, known-consignor status, screening integrity | Civil aviation security regulation (e.g. RA3/ACC3)
Retailers and consumer-goods brands | End-to-end product integrity and anti-diversion | Consumer safety; anti-grey-market
Pharmaceutical and medical-device supply chains | Cold-chain and product-integrity security; serialization | GDP/GMP; anti-counterfeiting regulation
Critical-infrastructure and utilities suppliers | Protect supply of essential goods/services from sabotage and disruption | National resilience mandates
Government and defence procurement chains | Assurance of supplier security posture across tiers | Sovereign security and export-control requirements
Financial-value cargo (cash, bullion, high-value electronics) | High-theft-risk consignment protection | Insurer and CIT (cash-in-transit) requirements

Scope of applicability within an organisation: ISO 28000 allows an organisation to define the boundaries and applicability of its SMS. The scope may cover the whole organisation, a single site, a business unit, a specific product line, a mode of transport, or a defined segment of the supply chain. The scope must be documented and must consider internal and external issues, interested parties, and the interfaces and dependencies with activities performed by other organisations (suppliers, sub-contractors, partners). Unlike ISO/IEC 27001, ISO 28000 does not carry an Annex A of mandatory candidate controls — the control set is derived entirely from the organisation's risk assessment, though ISO 28004 and ISO 28001 offer guidance on suitable controls.

Structure of ISO 28000:2022

ISO 28000:2022 follows the ISO Harmonised Structure of ten clauses. Clauses 1 to 3 are introductory (scope, normative references, terms and definitions) and contain no auditable requirements. Clauses 4 to 10 contain the requirements against which an organisation is assessed and certified. The table below maps the clause architecture and the principal requirement areas of each — this is the normative backbone of the SMS.

Clause | Title | Principal requirement areas
1 | Scope | Statement of applicability of the standard (informative)
2 | Normative references | Referenced documents (informative)
3 | Terms and definitions | Vocabulary, including supply chain, security, SMS (informative)
4 | Context of the organisation | 4.1 Understanding the organisation and its context; 4.2 Needs and expectations of interested parties; 4.3 Determining the scope of the SMS; 4.4 SMS and its processes
5 | Leadership | 5.1 Leadership and commitment; 5.2 Security policy; 5.3 Organisational roles, responsibilities and authorities
6 | Planning | 6.1 Actions to address risks and opportunities (incl. 6.1.2 security risk assessment and 6.1.3 treatment); 6.2 Security objectives and planning to achieve them; 6.3 Planning of changes
7 | Support | 7.1 Resources; 7.2 Competence; 7.3 Awareness; 7.4 Communication; 7.5 Documented information
8 | Operation | 8.1 Operational planning and control; 8.2 Identification of processes and activities; 8.3 Risk assessment and treatment (operational); 8.4 Security controls and strategies; 8.5 Security plans; incident management / response
9 | Performance evaluation | 9.1 Monitoring, measurement, analysis and evaluation; 9.2 Internal audit; 9.3 Management review
10 | Improvement | 10.1 Continual improvement; 10.2 Nonconformity and corrective action

In addition to the ten clauses, the ISO 28000 family provides supporting standards that assessors and implementers should be aware of. These are summarised below.

Standard | Title / purpose | Relationship to ISO 28000
ISO 28000:2022 | Security management systems — Requirements | The certifiable requirements standard (this guide)
ISO 28001:2007 | Best practices for implementing supply chain security | Guidance on security assessments and plans, medium-security supply chains
ISO 28003:2007 | Requirements for bodies providing audit and certification | Accreditation/certification-body requirements
ISO 28004 series | Guidelines for the implementation of ISO 28000 | Practical implementation guidance and control examples
ISO 22301 | Business continuity management systems | Complementary resilience management system; frequently integrated
ISO 31000 | Risk management — Guidelines | Underpins the risk-assessment methodology of Clause 6

Master Assessment Checklist

This is the core of the guide. Each auditable clause (4 to 10) and its sub-clauses are enumerated below with a dedicated table stating what the assessor must verify and the typical evidence to request. No requirement area is omitted. Findings should be graded as conformity, minor nonconformity, major nonconformity, or opportunity for improvement (OFI), consistent with ISO 28003 / ISO 19011 audit conventions.

Clause 4 — Context of the Organisation

What to verify | Typical evidence
4.1 The organisation has determined internal and external issues relevant to its purpose that affect the SMS and supply-chain security outcomes | Context analysis, PESTLE/SWOT, threat landscape assessment, environmental scan documentation
4.2 Interested parties relevant to the SMS and their relevant requirements (legal, regulatory, contractual, customer) are identified and monitored | Stakeholder register, legal/regulatory register, customer security requirement matrix
4.3 The scope of the SMS is determined and documented, considering context, interested parties and supply-chain interfaces/dependencies | Documented SMS scope statement; boundary/site list; interface and dependency map
4.4 The SMS and its processes are established, implemented, maintained and continually improved with defined process interactions | SMS manual/description; process map; PDCA process definitions; process owners

Clause 5 — Leadership

What to verify | Typical evidence
5.1 Top management demonstrates leadership and commitment: accountability, integration of the SMS into business processes, provision of resources, and promotion of continual improvement | Management-review minutes, resource-allocation records, leadership communications, budget approvals
5.2 A documented security policy is established, appropriate to purpose, provides a framework for objectives, includes commitment to satisfy requirements and continual improvement, and is communicated | Signed security-management policy; distribution/communication records; intranet/notice postings
5.3 Roles, responsibilities and authorities for the SMS are assigned, communicated and understood; a security manager/management representative is designated | Organisation chart; RACI matrix; security-manager appointment letter; job descriptions

Clause 6 — Planning

What to verify | Typical evidence
6.1.1 Risks and opportunities arising from context and interested parties are determined and addressed to give assurance the SMS can achieve outcomes and prevent/reduce undesired effects | Risk-and-opportunity register; planning records; integration into SMS actions
6.1.2 A documented security risk assessment process is defined and applied: identification of threats/hazards, vulnerabilities, likelihood and consequence across the supply chain | Risk-assessment methodology; threat/vulnerability register; risk criteria; risk assessment reports
6.1.3 Security risk treatment: options selected, controls determined, residual risk evaluated and accepted by risk owners; a statement of applicability of chosen controls | Risk-treatment plan; control selection rationale; residual-risk acceptance sign-off; risk owner records
6.2 Measurable security objectives are established at relevant functions/levels, consistent with the policy, monitored, communicated and updated; plans define what, who, resources, timing and evaluation | Security-objectives register; objective action plans; KPI targets; review records
6.3 Changes to the SMS are planned in a controlled manner (purpose, consequences, integrity, resources, responsibilities) | Change-management procedure; change requests/logs; impact assessments

Clause 7 — Support

What to verify | Typical evidence
7.1 Resources needed for the SMS (people, infrastructure, technology, finance) are determined and provided | Budget records; resource plans; equipment/technology inventory; staffing plans
7.2 Competence of persons affecting security performance is determined, ensured (education, training, experience) and evaluated; actions taken to acquire competence | Competence matrix; training records; certifications; recruitment criteria; effectiveness evaluations
7.3 Persons are aware of the security policy, their contribution to the SMS, and implications of nonconformity | Awareness-programme records; induction packs; toolbox talks; awareness quiz results
7.4 Internal and external communication needs are determined (what, when, with whom, how, by whom) including with supply-chain partners and authorities | Communication plan/matrix; stakeholder communications log; escalation contact lists
7.5 Documented information required by the standard and by the organisation is created, controlled (identification, format, review, approval, version, access, retention, disposition) | Document control procedure; master document list; version history; access controls; retention schedule

Clause 8 — Operation

What to verify | Typical evidence
8.1 Operational processes needed to meet requirements and implement Clause 6 actions are planned, implemented and controlled, with criteria and control of outsourced processes | Operational procedures; control criteria; outsourced-process control agreements; SLAs
8.2 Security-relevant processes and activities across the supply chain are identified, including physical, personnel, information, transport and cargo security touchpoints | Process inventory; supply-chain flow/asset maps; site security surveys
8.3 Operational-level security risk assessment and treatment is performed and kept current for actual operations and changes | Operational risk assessments; site-specific risk registers; reassessment triggers
8.4 Security controls and strategies (physical access, surveillance/CCTV, screening, seals/locks, vetting, cyber controls, cargo integrity, supplier controls) are selected and operating | Control-implementation records; access logs; CCTV/alarm records; seal logs; supplier security clauses
8.5 Security plans are documented, implemented and maintained for normal, elevated-threat and incident conditions; response and recovery procedures are defined and exercised | Security plans; emergency/incident response plans; exercise/drill reports; recovery procedures

Clause 9 — Performance Evaluation

What to verify | Typical evidence
9.1 What is monitored/measured, the methods, and when analysis/evaluation occurs are defined; security performance and SMS effectiveness are evaluated with retained evidence | Monitoring plan; KPI dashboards; measurement records; analysis reports
9.2 A planned internal audit programme evaluates conformity to the standard and to the organisation's requirements and effective implementation; auditor objectivity ensured; results reported | Audit programme/schedule; audit plans; auditor competence/independence records; audit reports; NC log
9.3 Top management reviews the SMS at planned intervals covering status of actions, changes, performance, audit results, nonconformities, risk changes, opportunities for improvement | Management-review agenda and minutes; input packs; decisions/action items; resource decisions

Clause 10 — Improvement

What to verify | Typical evidence
10.1 The organisation continually improves the suitability, adequacy and effectiveness of the SMS | Improvement register; trend analysis; before/after performance data
10.2 Nonconformities are reacted to, controlled and corrected; root cause is determined; corrective actions are implemented and their effectiveness reviewed; documented | Nonconformity/corrective-action reports (CAPA); root-cause analyses; effectiveness verification records

Supply-Chain Security Control Domains (Operational Verification)

Because Clause 8 requires the organisation to derive its own controls, the assessor must verify the actual security controls in operation. ISO 28004 and ISO 28001 group these into functional domains. The following table enumerates the operational control domains that a competent SMS should cover.

What to verify | Typical evidence
Physical and facility security: perimeter, access control, intrusion detection, CCTV, lighting, secure storage of high-value/high-risk goods | Site security plans; access-control system logs; CCTV coverage maps; alarm test records
Personnel security: pre-employment screening/vetting, background checks, contractor/visitor management, insider-threat controls | Vetting policy; background-check records; visitor logs; contractor security agreements
Information and cyber security: protection of shipment data, EDI/manifests, systems integrity (integration with ISO/IEC 27001) | Access-control lists; encryption evidence; ISMS interface; data-classification records
Cargo and conveyance security: container/trailer inspection (7-point/17-point), high-security seals (ISO 17712), load integrity, tracking/telematics | Seal registers; inspection checklists; GPS/telematics reports; tamper-evidence records
Transport and route security: route risk assessment, secure parking, driver protocols, escort/convoy for high-risk cargo | Route risk assessments; transport security procedures; driver briefings; incident maps
Business-partner / supplier security: supplier security requirements, assessment/audit of partners, contractual security clauses | Supplier security questionnaires; audit reports; contract security annexes; approved-vendor list
Procedural security: documentation control, manifesting accuracy, chain-of-custody, reconciliation, anti-diversion | Manifesting procedures; chain-of-custody records; reconciliation reports; discrepancy logs
Incident, threat and crisis management: threat-level escalation, security incident reporting, investigation, liaison with authorities | Incident log; escalation matrix; investigation reports; law-enforcement liaison records

Scoping and Materiality / Tiering

Defining an appropriate SMS scope and prioritising effort by materiality is essential to a cost-effective and auditable implementation. ISO 28000 does not prescribe a tiering model, but assessors expect the organisation to demonstrate a rational, risk-based approach to what is in scope and where controls are concentrated.

  • Boundary definition: fix the organisational, geographic and supply-chain boundaries of the SMS (which sites, entities, modes and segments are covered), and record explicit exclusions with justification.
  • Criticality/materiality assessment: rank supply-chain nodes and flows by value at risk, threat exposure, consequence of disruption, and regulatory/contractual sensitivity.
  • Tiering of suppliers and nodes: classify partners into tiers (e.g. Tier 1 direct/critical, Tier 2 significant, Tier 3 low-impact) and apply proportionate security requirements and assurance depth.
  • Threat-level tiering: define graded security postures (normal / elevated / high / severe) and pre-agreed control uplifts for each, aligned with national threat advisories.
  • High-value / high-risk cargo designation: identify goods requiring enhanced controls (theft-attractive, hazardous, controlled, or safety-critical) and apply stricter chain-of-custody.
  • Interface and dependency treatment: where activities are outsourced, define the type and extent of control retained and the assurance obtained over the outsourced party.

Materiality tier | Definition | Control and assurance expectation
Tier 1 — Critical | Nodes/partners whose failure causes major loss, safety, regulatory or continuity impact | Full control set; direct audit; continuous monitoring; contractual security obligations
Tier 2 — Significant | Meaningful value or exposure but with mitigations/alternatives available | Core controls; periodic assessment; questionnaire plus targeted audit
Tier 3 — Standard | Routine, low-value or easily substitutable nodes | Baseline controls; self-assessment/questionnaire; sampling
Excluded (justified) | Out-of-scope activities with documented rationale | No SMS controls; documented exclusion and periodic re-validation

Implementation Approach

A phased implementation aligned to the PDCA cycle allows an organisation to build the SMS in a controlled, evidence-generating manner. The following phases (with activities and deliverables) reflect a typical 9–12 month implementation to certification readiness.

Phase 1 — Initiate and Establish Context (Plan)

  • Activities: secure top-management sponsorship; define provisional scope; perform context (Clause 4.1) and interested-party (4.2) analysis; establish legal/regulatory/contractual register; appoint the security manager and project team.
  • Deliverables: project charter; SMS scope statement; context analysis; stakeholder and legal registers; governance/RACI.

Phase 2 — Risk Assessment and Treatment Planning (Plan)

  • Activities: adopt a risk methodology (aligned to ISO 31000); map supply-chain flows and assets; identify threats, vulnerabilities and consequences; assess and evaluate risks; select treatment options and controls; obtain risk-owner acceptance of residual risk.
  • Deliverables: risk-assessment methodology; threat/vulnerability and risk registers; risk-treatment plan; statement of applicable controls; residual-risk acceptance.

Phase 3 — Design the SMS and Documentation (Plan)

  • Activities: draft security policy and objectives; define processes and procedures; design document-control and record-keeping; define competence, awareness and communication plans; design monitoring and measurement.
  • Deliverables: security policy; objectives register; SMS manual and procedures; document-control procedure; competence and communication plans; KPI framework.

Phase 4 — Implement Controls and Operate (Do)

  • Activities: deploy physical, personnel, information, cargo, transport, procedural and partner controls; implement security plans for normal/elevated/incident states; roll out training and awareness; onboard supplier security requirements.
  • Deliverables: implemented controls with operating records; security plans; incident-response procedures; training records; supplier security agreements.

Phase 5 — Monitor, Audit and Review (Check)

  • Activities: collect KPIs and monitoring data; conduct security exercises/drills; run the internal audit programme; hold management review; log and act on nonconformities.
  • Deliverables: monitoring/KPI records; exercise reports; internal audit reports; management-review minutes; nonconformity/corrective-action log.

Phase 6 — Improve and Certify (Act)

  • Activities: close corrective actions; conduct pre-assessment/gap review; select an accredited certification body; complete Stage 1 (documentation) and Stage 2 (implementation) audits; establish continual-improvement cadence.
  • Deliverables: closed CAPAs; certification-readiness report; Stage 1/Stage 2 audit outcomes; certificate of registration; surveillance-audit plan.

Maturity / Capability Model

While ISO 28000 certification is pass/fail against the requirements, organisations benefit from tracking capability maturity to prioritise investment and demonstrate continual improvement. The following five-level model (adapted from common CMMI-style scales) can be applied to each clause area and control domain.

Level | Name | Characteristics
1 | Initial / Ad hoc | Security handled reactively; no documented SMS; controls inconsistent; reliant on individuals
2 | Developing / Repeatable | Basic policy and procedures exist for key areas; risk assessment partial; documentation incomplete
3 | Defined | SMS documented and aligned to ISO 28000 clauses; risk-based controls implemented across scope; roles defined
4 | Managed / Measured | Performance monitored via KPIs; internal audits and management reviews operating; data-driven decisions
5 | Optimising | Continual improvement embedded; predictive risk management; integrated with other management systems; benchmarked

Assessment and Audit Approach

An ISO 28000 audit (whether internal, certification Stage 1/2, or surveillance) should be conducted per ISO 19011 (auditing guidelines) and, for certification bodies, ISO 28003 / ISO/IEC 17021-1. The recommended sequence is set out below.

  1. Define audit objectives, scope and criteria (ISO 28000:2022 plus the organisation's own SMS documentation and applicable legal/contractual requirements).
  2. Conduct a Stage 1 / documentation review: assess context, scope, policy, risk assessment, risk-treatment plan and readiness for Stage 2.
  3. Plan the Stage 2 / implementation audit: prepare the audit plan, allocate competent auditors, and schedule site and process sampling.
  4. Perform an opening meeting to confirm scope, logistics, confidentiality and reporting arrangements with the auditee.
  5. Gather evidence through interviews, document/record review, direct observation of controls, and sampling across sites, modes and supply-chain nodes.
  6. Test operating effectiveness of controls (e.g. access control, seal integrity, screening, incident response) and trace samples end-to-end through chain-of-custody.
  7. Evaluate findings against each clause; classify as conformity, minor NC, major NC or OFI, with objective evidence recorded for each.
  8. Hold a closing meeting to present findings, agree the significance of nonconformities and confirm the corrective-action timeline.
  9. Issue the audit report; the auditee performs root-cause analysis and submits a corrective-action plan for major/minor nonconformities.
  10. Verify corrective-action effectiveness (evidence review or follow-up visit); recommend certification/continuation; schedule surveillance audits and the three-year recertification.

Evidence Request List

The assessor should request the following documented information and records, organised by category. This list supports both a readiness (gap) assessment and a formal certification audit.

  • Context and scope: context analysis; interested-party register; SMS scope statement; supply-chain flow and asset maps; interface/dependency register.
  • Leadership and policy: signed security policy; leadership commitment evidence; organisational chart; RACI; security-manager appointment.
  • Legal and compliance: legal/regulatory register; customer/contractual security requirements; permits/licences; export-control records.
  • Risk management: risk-assessment methodology; threat/vulnerability and risk registers; risk-treatment plan; statement of applicable controls; residual-risk acceptance.
  • Objectives and planning: security-objectives register and action plans; change-management records; KPI targets.
  • Support: resource/budget records; competence matrix and training records; awareness-programme evidence; communication plan; document-control procedure and master list.
  • Operation — physical: site security plans; access-control and CCTV/alarm records; secure-storage arrangements.
  • Operation — personnel: vetting/background-check policy and records; visitor and contractor logs; insider-threat controls.
  • Operation — cargo/transport: seal registers (ISO 17712); container/trailer inspection checklists; telematics/GPS logs; route risk assessments; driver procedures.
  • Operation — information/cyber: data-classification; access controls; ISMS interface (ISO/IEC 27001); shipment-data protection evidence.
  • Operation — partners: supplier security questionnaires; partner audit reports; contract security annexes; approved-vendor list.
  • Security plans and incidents: normal/elevated/incident security plans; incident/investigation reports; drill/exercise reports; law-enforcement liaison records.
  • Performance and improvement: monitoring/KPI dashboards; internal audit programme and reports; management-review minutes; nonconformity/CAPA log; continual-improvement register.

Roles and Responsibilities

Role | Key responsibilities | SMS clause linkage
Top management / board | Overall accountability; approve policy and resources; conduct management review; embed SMS into business | Clause 5.1, 9.3
Security manager / SMS representative | Establish, maintain and report on the SMS; coordinate risk assessment, audits and improvement | Clause 5.3, 6, 9
Risk owners | Accept and manage residual security risks in their areas; approve treatments | Clause 6.1.3
Site / facility security officers | Implement and operate physical, personnel and procedural controls on site | Clause 8.4, 8.5
Logistics / transport managers | Ensure cargo, conveyance and route security controls in transit | Clause 8.2–8.5
Procurement / supplier management | Impose and assure supplier security requirements; manage partner audits | Clause 8.1, 8.4
IT / information security (CISO) | Protect shipment and SMS information; integrate with ISO/IEC 27001 | Clause 8.4, 7.5
HR | Personnel screening, competence, awareness and training administration | Clause 7.2, 7.3, 8.4
Internal audit | Independently audit SMS conformity and effectiveness; report to management | Clause 9.2
All employees and contractors | Follow security procedures; report incidents and vulnerabilities | Clause 7.3, 10.2

KPIs / Metrics to Track

  • Number and severity of security incidents (theft, tampering, breach, unauthorised access) per period and per node.
  • Cargo loss/shrinkage rate and value at risk versus target.
  • Seal integrity failure rate and container/trailer inspection discrepancy rate.
  • Percentage of high-risk suppliers assessed/audited on schedule and their remediation closure rate.
  • Access-control violation and tailgating incident counts; CCTV/alarm availability uptime.
  • Personnel vetting completion rate before deployment; training and awareness completion rate.
  • Mean time to detect and mean time to respond to security incidents.
  • Percentage of identified risks with treatment implemented and residual risk accepted.
  • Internal audit findings by clause, and corrective-action on-time closure rate.
  • Number of security drills/exercises conducted and issues identified/closed.
  • Chain-of-custody reconciliation exception rate and anti-diversion detection count.
  • Percentage of security objectives achieved per review cycle.

Readiness Checklist

  • Top-management sponsorship secured and security policy approved and communicated.
  • SMS scope documented with boundaries, exclusions and supply-chain interfaces defined.
  • Context, interested-party and legal/regulatory registers completed and maintained.
  • Documented security risk-assessment methodology adopted and applied across scope.
  • Risk register, risk-treatment plan and statement of applicable controls in place with residual risk accepted.
  • Security manager and roles/authorities assigned and communicated (RACI).
  • Measurable security objectives set with action plans and KPI targets.
  • Physical, personnel, information, cargo, transport, procedural and partner controls implemented with records.
  • Security plans for normal, elevated and incident conditions documented and exercised.
  • Competence matrix, training and awareness programmes delivered with records.
  • Communication and document-control procedures operating with version control.
  • Monitoring/KPI framework producing evidence; internal audit programme completed at least once.
  • Management review held with inputs, decisions and actions recorded.
  • Nonconformity and corrective-action process functioning with root-cause analysis.
  • Pre-assessment/gap review completed and material gaps closed prior to certification audit.

Common Gaps and Findings

  • Scope defined too narrowly or vaguely, excluding critical supply-chain interfaces or outsourced activities without justification.
  • Risk assessment is generic and not specific to actual supply-chain threats, nodes and modes; no link between risks and selected controls.
  • No statement of applicable controls or residual-risk acceptance signed by identified risk owners.
  • Security objectives absent or not measurable; no plans defining what, who, when and how evaluated.
  • Supplier/business-partner security not assessed or contractually imposed; multi-tier exposure ignored.
  • Weak personnel security: incomplete vetting, poor visitor/contractor control, no insider-threat consideration.
  • Cargo controls not evidenced: missing seal registers (ISO 17712), no inspection checklists, unverified telematics.
  • Information/cyber security of shipment data not integrated with the ISMS or overlooked entirely.
  • Security plans for elevated-threat and incident conditions missing or never exercised/drilled.
  • Internal audits not covering all clauses/sites, or auditors lacking independence/competence.
  • Management review held infrequently or without required inputs, decisions and follow-up actions.
  • Corrective actions treat symptoms without root-cause analysis; effectiveness never verified.
  • Documented information poorly controlled: obsolete versions in use, no retention/access controls.
  • Awareness gaps: staff cannot articulate the policy or their role in the SMS.

ISO 28000 Mapped to Other Frameworks

ISO 28000 shares the Harmonised Structure with other ISO management-system standards, enabling integrated audits and shared documentation. It also complements customs, aviation and cyber supply-chain regimes. The table below maps key ISO 28000 areas to related frameworks.

ISO 28000 area | Related framework / control | Mapping notes
Full SMS (Clauses 4–10) | ISO 22301 (BCMS) | Shared Harmonised Structure; security + continuity commonly integrated
Information/cyber security controls (8.4) | ISO/IEC 27001 Annex A / ISO 27036 | SMS shipment-data protection integrates with ISMS supplier-security controls
Risk assessment and treatment (6.1) | ISO 31000 | ISO 31000 provides the underpinning risk-management principles and process
Cargo and customs security | WCO SAFE Framework / AEO | ISO 28000 operationalises AEO/Authorised Economic Operator security criteria
US import supply-chain security | C-TPAT (CTPAT) minimum security criteria | Strong overlap on physical, personnel, cargo and partner security; supports mutual recognition
Maritime and port facility security | ISPS Code / ISO 28001 / ISO 28004 | ISO 28000 provides the management system around ISPS operational requirements
Cyber supply-chain risk | NIST SP 800-161 / SP 800-53 SR family | Complementary supplier-risk controls for the information dimension of the supply chain
Quality and process control | ISO 9001 | Common clause structure enables integrated QMS/SMS management
Environmental and safety | ISO 14001 / ISO 45001 | Shared structure supports an integrated management system (IMS)

How CyberSigma helps

CyberSigma provides end-to-end ISO 28000:2022 advisory and assessment. Our CERT-In empanelled and QSA-led team runs a structured gap assessment against all ten clauses and your operational control domains, builds a supply-chain-specific risk assessment and treatment plan, and drafts the full SMS documentation set (policy, objectives, procedures, security plans). We stand up physical, personnel, cargo, transport, information and business-partner controls, integrate the SMS with your existing ISO/IEC 27001, ISO 22301 and ISO 9001 systems, and prepare you for accredited certification through internal audits, exercises and management review. Talk to CyberSigma to plan your ISO 28000 certification journey and strengthen the security and resilience of your supply chain.

Frequently asked questions

Is ISO 28000 certifiable?
Yes — organisations can be certified to ISO 28000:2022 by an accredited certification body.